Feature #507: Implement/test "fail-open" option
Status: closed
Description
A new feature has recently been introduced in NFQUEUE: it is possible to accept packets when the queue is full. This could be useful in Suricata when an admin wants to privilege network behavior over security.
More information and patch: http://www.digipedia.pl/usenet/thread/16261/26536/
Updated by Victor Julien over 12 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to 1.4beta1
Updated by Eric Leblond over 12 years ago
The associated patch is in 3.6-rc1; I don't think this will be in an official kernel before the release of 1.4beta1.
No problem on my side to work on a git Linux, but this will be more difficult for testers.
Maybe we could postpone this to beta2?
Updated by Victor Julien over 12 years ago
If the API is likely to remain the same I have no problem with already supporting it now.
Updated by Eric Leblond over 12 years ago
I've implemented this and tested it using latest Linux git and latest libnetfilter_queue git. And it works:
# scp on lo with MTU at 100
# With fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb                 100%   31MB   3.5MB/s   00:09
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb     100%   30MB   3.3MB/s   00:09
# Without fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb                 100%   31MB 504.7KB/s   01:03
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb     100%   30MB 513.6KB/s   00:59
The attached patch is the implementation.
Please note that there is no way to detect that the feature is not available in the kernel.
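To make concrete what the "fail-open" option in the description asks of the kernel, here is an added example (not Suricata's or libnetfilter_queue's code) that hand-encodes the nfnetlink NFQNL_MSG_CONFIG request carrying the NFQA_CFG_FLAGS and NFQA_CFG_MASK attributes with NFQA_CFG_F_FAIL_OPEN set, which is what libnetfilter_queue's nfq_set_queue_flags() puts on the wire, and then decodes the buffer back. The struct layouts and constant values are copied from the kernel UAPI headers so the example builds without libnetfilter_queue installed; the function names, the queue number and the sequence number are this example's own choices. Nothing is sent to the kernel here, and as the comment above says an older kernel gives no error either, so a successful request proves only that the message was well formed, not that fail-open took effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htonl/ntohl/htons/ntohs */

/* Values copied from the kernel UAPI headers (linux/netlink.h,
 * linux/netfilter/nfnetlink.h, linux/netfilter/nfnetlink_queue.h). */
#define NLM_F_REQUEST        0x01
#define NLM_F_ACK            0x04
#define NFNL_SUBSYS_QUEUE    3
#define NFQNL_MSG_CONFIG     2
#define NFNETLINK_V0         0
#define NFQA_CFG_MASK        4
#define NFQA_CFG_FLAGS       5
#define NFQA_CFG_F_FAIL_OPEN (1u << 0)

/* Same layout as struct nlmsghdr / struct nfgenmsg / struct nlattr. */
struct nl_hdr  { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct nfgen   { uint8_t family; uint8_t version; uint16_t res_id; /* queue number, big-endian */ };
struct nl_attr { uint16_t len; uint16_t type; };

#define NLA_ALIGN4(n)   (((n) + 3u) & ~3u)
#define NFQ_CFG_REQ_LEN (sizeof(struct nl_hdr) + sizeof(struct nfgen) + 2 * (sizeof(struct nl_attr) + 4))

/* Append a big-endian u32 attribute at `off`; return the new (aligned) offset. */
static size_t put_attr_be32(uint8_t *buf, size_t off, uint16_t type, uint32_t host_val)
{
    struct nl_attr a = { .len = (uint16_t)(sizeof a + sizeof host_val), .type = type };
    uint32_t be = htonl(host_val);
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + sizeof a, &be, sizeof be);
    return off + NLA_ALIGN4(a.len);
}

/* Encode NFQNL_MSG_CONFIG{NFQA_CFG_FLAGS, NFQA_CFG_MASK} for `queue_num`.
 * flags = mask = NFQA_CFG_F_FAIL_OPEN asks for fail-open; flags = 0 with the
 * same mask asks for the default (drop when the queue is full).
 * Returns the message length (36 bytes) or 0 if `cap` is too small. */
size_t build_nfq_flags_request(uint8_t *buf, size_t cap, uint16_t queue_num,
                               uint32_t seq, uint32_t flags, uint32_t mask)
{
    if (cap < NFQ_CFG_REQ_LEN) return 0;
    size_t off = sizeof(struct nl_hdr);
    struct nfgen g = { .family = 0 /* AF_UNSPEC */, .version = NFNETLINK_V0, .res_id = htons(queue_num) };
    memcpy(buf + off, &g, sizeof g);
    off += sizeof g;
    off = put_attr_be32(buf, off, NFQA_CFG_FLAGS, flags);
    off = put_attr_be32(buf, off, NFQA_CFG_MASK, mask);
    struct nl_hdr h = { .len = (uint32_t)off,
                        .type = (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG,
                        .flags = NLM_F_REQUEST | NLM_F_ACK, .seq = seq, .pid = 0 };
    memcpy(buf, &h, sizeof h);
    return off;
}

/* Return the big-endian u32 payload of attribute `want`, or 0 if absent or truncated. */
uint32_t nfq_request_attr_be32(const uint8_t *buf, size_t len, uint16_t want)
{
    size_t off = sizeof(struct nl_hdr) + sizeof(struct nfgen);
    while (off + sizeof(struct nl_attr) <= len) {
        struct nl_attr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.len < sizeof a || off + a.len > len) break;   /* truncated attribute */
        if (a.type == want && a.len == sizeof a + 4) {
            uint32_t be;
            memcpy(&be, buf + off + sizeof a, sizeof be);
            return ntohl(be);
        }
        off += NLA_ALIGN4(a.len);
    }
    return 0;
}

/* Queue number the request targets (res_id of the nfgenmsg header). */
uint16_t nfq_request_queue_num(const uint8_t *buf, size_t len)
{
    struct nfgen g;
    if (len < sizeof(struct nl_hdr) + sizeof g) return 0;
    memcpy(&g, buf + sizeof(struct nl_hdr), sizeof g);
    return ntohs(g.res_id);
}

/* 1 if the request both selects (mask) and sets (flags) NFQA_CFG_F_FAIL_OPEN. */
int nfq_request_enables_fail_open(const uint8_t *buf, size_t len)
{
    uint32_t fl = nfq_request_attr_be32(buf, len, NFQA_CFG_FLAGS);
    uint32_t mk = nfq_request_attr_be32(buf, len, NFQA_CFG_MASK);
    return (mk & NFQA_CFG_F_FAIL_OPEN) && (fl & NFQA_CFG_F_FAIL_OPEN);
}

int main(void)
{
    uint8_t msg[64];   /* queue 0, sequence 1: arbitrary values for the demo */
    size_t n = build_nfq_flags_request(msg, sizeof msg, 0, 1, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN);
    printf("queue %u, fail-open=%d, %zu bytes:", nfq_request_queue_num(msg, n),
           nfq_request_enables_fail_open(msg, n), n);
    for (size_t i = 0; i < n; i++) printf(" %02x", msg[i]);
    printf("\n");
    return 0;
}
```

The decoder is the useful half in practice: the same walk over NFQA_CFG_FLAGS and NFQA_CFG_MASK can be pointed at messages captured with strace or an nlmon interface to confirm what a running Suricata actually requested for a queue.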
Updated by Eric Leblond over 12 years ago
pull request on github: https://github.com/inliniac/suricata/pull/6
Updated by Victor Julien over 12 years ago
- Status changed from Assigned to Closed
Merged. Thanks Eric!